Static analysis security scanner for Ruby on Rails

We are excited to announce Brakeman Pro has been acquired by Synopsys.

Started in 2014, Brakeman Pro has been a partnership between Justin Collins, Neil Matatall, Jim Manico, and Adam Korman. Although it’s been an unconventional journey, we are all grateful to have traveled it together. Sincere thanks to the many folks who supported, promoted, and encouraged us along the way.

Justin Collins will be joining Synopsys to help integrate the Brakeman Pro Engine into their static application security testing (SAST) offerings, as well as continuing to develop and support the Brakeman OSS project. This is an exciting opportunity to focus on improving and expanding SAST for the Ruby community.

Brakeman OSS

The Brakeman OSS project is part of the acquisition, and Synopsys now owns the copyright previously held by Brakeman, Inc.

However, under the new license, it is no longer possible to use Brakeman OSS for the development of a commercial product or online service or to resell Brakeman OSS as a service. Companies wishing to do either will require a commercial agreement with Synopsys. Please see here for more details.

Thank You

Thank you again to our customers, friends, and family who supported us in making the web a little bit safer!

Safe Literals

This version of Brakeman introduces a new way of handling “known safe” values (integers, string literals, etc.) whose exact value is unknown. Uses of such values are now replaced with :BRAKEMAN_SAFE_LITERAL rather than with a guess at the actual value, as Brakeman had done previously. The new approach avoids some unhelpful side-effects and makes room for more of this kind of reasoning in the future.

These changes fix up a number of false positives.

Array Safe Literals

In situations like

["hello", "there"].each do |s|
  something_with(s)
end

Brakeman will replace s inside the block with :BRAKEMAN_SAFE_LITERAL, since the value must be a string (or nil, but Brakeman doesn’t worry about that).

Array#map and Array#each are currently supported.

Hash Access with Unknown Key

In code like

some_hash = { x: 1, y: 2 }
result = some_hash[some_var]

Brakeman will replace result with :BRAKEMAN_SAFE_LITERAL since the value must be an integer.

Symbolized Keys in Params

Conditionals in Shell Commands

Use of interpolated if expressions (or the ternary version) in shell commands is now handled better, thanks to Jacob Evelyn. The values of the branches will be checked for dangerous values before warning.
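The following is an added illustration of the idea behind the safe-literal changes above (array iteration, hash access with an unknown key, and branch checking in conditionals); it is not Brakeman’s own code and does not use Brakeman’s internal representation. It models what the analyzer knows about an expression with plain Ruby values: real literals stand for literals, a constructed Unknown struct stands for values that may carry user input, and a constructed Conditional struct stands for cond ? a : b. A command-injection check over interpolated fragments then shows why substituting :BRAKEMAN_SAFE_LITERAL removes the false positives described in the text.

```ruby
# Illustrative model only; not Brakeman source. Names below are assumptions.
SAFE_LITERAL = :BRAKEMAN_SAFE_LITERAL

# Constructed stand-ins for what the analyzer knows about an expression.
Unknown     = Struct.new(:source)              # e.g. Unknown.new("params[:x]")
Conditional = Struct.new(:if_true, :if_false)  # cond ? if_true : if_false

# A literal whose exact value does not matter: no user input can have produced it.
def safe_literal?(value)
  case value
  when Integer, Float, String, Symbol, nil, true, false then true
  else false
  end
end

# Block variable of Array#each / Array#map over an array literal: if every
# element is a safe literal, the variable is SAFE_LITERAL rather than a guess
# at one concrete element.
def iteration_value(elements)
  return SAFE_LITERAL if elements.all? { |e| safe_literal?(e) }
  Unknown.new("element of #{elements.inspect}")
end

# Hash access: a known key yields the stored value; an unknown key over a hash
# whose values are all safe literals yields SAFE_LITERAL; anything else is unknown.
def hash_lookup(hash, key)
  return hash[key] if safe_literal?(key) && hash.key?(key)
  return SAFE_LITERAL if hash.values.all? { |v| safe_literal?(v) }
  Unknown.new("#{hash.inspect}[#{key.inspect}]")
end

# Does one interpolated fragment justify a warning? Literals and SAFE_LITERAL
# do not; a conditional does only if one of its branches does; an unknown does.
def dangerous?(fragment)
  case fragment
  when SAFE_LITERAL then false
  when Conditional  then dangerous?(fragment.if_true) || dangerous?(fragment.if_false)
  when Unknown      then true
  else !safe_literal?(fragment)
  end
end

# A shell command assembled from fragments warns iff any fragment is dangerous.
def command_injection_warning?(fragments)
  fragments.any? { |f| dangerous?(f) }
end

# Constructed examples mirroring the release notes.
PARAMS_X = Unknown.new("params[:x]")

def examples
  flags = { x: 1, y: 2 }   # some_hash = { x: 1, y: 2 }
  {
    # ["hello", "there"].each { |s| system("echo #{s}") }
    each_over_literals: command_injection_warning?(["echo ", iteration_value(["hello", "there"])]),
    # system("echo #{flags[params[:x]]}"): the value can only be 1 or 2
    hash_unknown_key:   command_injection_warning?(["echo ", hash_lookup(flags, PARAMS_X)]),
    # system("ls #{params[:x] ? '-l' : '-a'}"): both branches are literals
    literal_ternary:    command_injection_warning?(["ls ", Conditional.new("-l", "-a")]),
    # system("ls #{params[:x] ? params[:x] : '-a'}"): one branch is tainted
    tainted_ternary:    command_injection_warning?(["ls ", Conditional.new(PARAMS_X, "-a")]),
    # system("echo #{params[:x]}")
    direct_params:      command_injection_warning?(["echo ", PARAMS_X]),
  }
end
```

The first three cases are exactly the ones the text says no longer produce false positives; the last two still warn because a fragment can carry request input. The placeholder matters because a concrete guess (say, "hello") would be wrong as soon as the loop body depended on which element it got, while SAFE_LITERAL carries only the fact the check needs: the value was not attacker-controlled.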

Parent Calls

Brakeman now tracks, for each argument, the method call it is passed to (its parent call). While this ended up not being needed for this release, it will help improve checks and messages in the future.

Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs instead.

Symbol DoS False Positive

Open Redirect False Positive

Shellwords Escaping

Brakeman will no longer warn about command injection when Shellwords.escape and friends are used.

Please note that user input in shell commands is rarely a good idea, even when escaped, since an escaped value can still change the behavior of the invoked program in unexpected ways. Many Linux tools have options that allow arbitrary code execution.
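As an added example (not Brakeman’s or Rails’ code), the snippet below shows what Shellwords.escape does and does not protect against. The inputs are constructed, and wc is used only as a stand-in for any command-line tool: escaping neutralizes shell metacharacters, but a value that begins with a dash is still parsed by the tool as an option, which is the argument-injection risk the caveat above refers to. The argv form with a "--" separator avoids both problems where the tool honors "--".

```ruby
require 'shellwords'

# Added illustration; not code from Brakeman. The tool and inputs are assumptions.

# Raw interpolation: the shell interprets metacharacters in the input.
def raw_command(filename)
  "wc -l #{filename}"
end

# Shellwords.escape turns the input into a single shell word, so ';', spaces,
# quotes and the like lose their meaning. Brakeman no longer warns on this form.
def escaped_command(filename)
  "wc -l #{Shellwords.escape(filename)}"
end

# Escaping does nothing about argument injection: '-' is a safe character for
# Shellwords.escape, so "--help" is passed through unchanged and the tool parses
# it as an option. Some tools have options that run commands (for example tar's
# --checkpoint-action=exec=CMD or rsync's -e), so this is not just a nuisance.
def looks_like_option?(arg)
  arg.start_with?("-")
end

# Preferred form: no shell at all (pass an argv array to Kernel#system or
# Open3), plus "--" so the tool treats the value as an operand even if it
# starts with '-'. Check that the tool you call honors "--".
def argv_command(filename)
  ["wc", "-l", "--", filename]
end

# How many words the shell-style tokenizer sees. Shellwords.split honors
# backslash escapes but does not model ';' as a command separator, so for the
# raw form the real shell would do worse than the word count suggests.
def shell_word_count(command)
  Shellwords.split(command).length
end

# Constructed sample inputs.
SAMPLES = {
  benign:   "report.txt",
  metachar: "x; rm -rf /",
  option:   "--help",
  empty:    "",          # raw interpolation would drop the argument entirely
}

def comparison
  SAMPLES.transform_values do |input|
    {
      raw_words:       shell_word_count(raw_command(input)),
      escaped_words:   shell_word_count(escaped_command(input)),
      still_an_option: looks_like_option?(Shellwords.escape(input)),
      argv:            argv_command(input),
    }
  end
end
```

The escaped form always yields exactly three words, and Shellwords.split recovers the original string as the third, so metacharacter injection is closed. For "--help" the escaped string is identical to the input, which is why the text recommends against putting user input into shell commands even when escaped; the argv form sidesteps the shell and ends option parsing before the untrusted value.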